Hello,
My name is Netanel Rubin, I work as a vulnerability researcher at Check Point Software Technologies.
This is a critical vulnerability report for an issue I discovered in the TWiki platform. The successful exploitation of the vulnerability allows an attacker to execute Perl code unauthenticated. The vulnerability has been discovered in a fully patched TWiki (ver 6.0.0).
We would like to report the complete vulnerability description over a private channel. Please contact us at netanelr@checkpointNOSPAM.com and shahartal@checkpointNOSPAM.com (my team leader).
If possible, we would also like to coordinate the public disclosure with you.
Best regards,
Netanel.
-- TWiki:Main/NetanelRubin - 2014-09-30
Mail sent. Thanks!
Our security process is documented at TWiki:Codev.TWikiSecurityAlertProcess.
-- TWiki:Main.PeterThoeny - 2014-09-30
Thank you Netanel, we received the alert and will follow our documented process.
- The plugin handler issue will be tracked here
- The file upload issue is tracked at Item7560
-- TWiki:Main.PeterThoeny - 2014-10-01
Now fixed in SVN trunk and 6.0 branch
Patch:
--- TWiki/Plugins.pm.save1 2014-01-09 02:10:56.000000000 -0500
+++ TWiki/Plugins.pm 2014-10-01 20:30:36.000000000 -0400
@@ -186,8 +186,11 @@
unless( $allDisabled ) {
if ( $query && defined( $query->param( 'debugenableplugins' ))) {
- @pluginList = split( /[,\s]+/,
- $query->param( 'debugenableplugins' ));
+ @pluginList =
+ grep { /Plugin$/ }
+ map { s/[^a-zA-Z0-9]//go; $_ } # Item7558: Sanitize parameter
+ split( /[,\s]+/, $query->param( 'debugenableplugins' ));
+
} else {
if( $TWiki::cfg{PluginsOrder} ) {
foreach my $plugin( split( /[,\s]+/,
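Review bot: In the added map/grep chain, s/[^a-zA-Z0-9]//go strips disallowed characters, which turns an invalid debugenableplugins entry into a different name instead of rejecting it, and grep { /Plugin$/ } is anchored only at the end, so the bare string "Plugin" also passes. Consider dropping the map and filtering with one fully anchored allowlist, for example grep { /^[A-Za-z0-9]+Plugin$/ }, so that anything that is not already a well-formed plugin name is discarded rather than rewritten. Smaller points: the /o modifier does nothing on a pattern with no interpolated variables, the inline comment names the item but not what the sanitization protects against, and the added blank line before "} else {" can go. Nothing in this hunk limits who may supply debugenableplugins, so if the parameter is intended as a debugging aid it may be worth gating it behind a configuration setting as well.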
-- TWiki:Main.PeterThoeny - 2014-10-02